How Apple tracks your location without consent, and why it matters

A log file on your 3G-enabled iPhone or iPad shows nearly every place you've …

If you haven't yet enabled encrypted backups for your iPhone or iPad, now's definitely the time to start. Two security researchers have discovered a simple way to map out where you've been almost anywhere in the world—without any hacking involved. The information comes from a location cache file found within your iPhone's backups on your Mac or PC, raising serious privacy concerns and opening the door for a jealous spouse, thief, or even a crafty trojan to take a detailed look at your whereabouts. And it's information that no one should have access to—not even law enforcement, barring a court order.

Researchers Alasdair Allan and Pete Warden revealed their findings on Wednesday ahead of their presentation at the Where 2.0 conference taking place in San Francisco. The two discovered that the iPhone and 3G iPad—anything with 3G data access, so no iPod touch—are logging location data to a file called consolidated.db with latitude and longitude coordinates and a timestamp. The data collection appears to be associated with the launch of iOS 4 last June, meaning that many users (us at Ars included) have nearly a year's worth of stalking data collected.

In order to drive the point home, the two developed an open source application called iPhone Tracker that lets anyone with access to your computer see where you've been. For example, my log appears to start on June 23, 2010 (one day before the launch of the iPhone 4) and shows nearly every trip I've ever taken since then and when. You can see that I seem to spend most of my time in Chicago and occasionally the suburbs, with road trips down to Indianapolis, Cincinnati, Springfield, and Wichita. I also fly to New York City and San Francisco, and I have a few dots at the Tokyo Narita airport when I traveled through there in October.

Where in the world is Jacqui Cheng?

Slightly more zoomed in look at my whereabouts

What's not shown is a week-long trip I took to Hong Kong in October. Why? Because I left my iPhone's cellular and data connections turned off and only used GPS with WiFi while I was there. But if I know I used GPS in Hong Kong in order to make geotagged tweets and photos, shouldn't it show up in this log file? The answer is no, and the reason behind it should scare you.

Court order required—or not

From the end-user point of view, Apple only does one kind of location tracking, and it happens via GPS. The company makes sure to notify you on your iPhone or iPad every time you use an app that will grab your GPS location so that you're always informed of when you're being tracked. However, that's not all that's going on behind the scenes. Apple also triangulates your location from cell phone towers and logs that information in order to help get a faster GPS lock (or to find your location without GPS if you're getting bad GPS signal).

Allan and Warden point out in their iPhone Tracker FAQ that this is indeed the method Apple is using in the consolidated.db file, and this is also the reason users might see strange iPhone Tracker dots in places they haven't been.

"As far as we can tell, the location is determined by triangulating against the nearest cell-phone towers. This isn’t as accurate as GPS, but presumably takes less power," they wrote. "In some cases it can get very confused and temporarily think you’re several miles from your actual location, but these tend to be intermittent glitches."

Users don't get to decide whether their locations are tracked via cell towers or not—unlike GPS, there is no setting that lets users turn it off, there's no explicit consent every time it happens, and there's no way to block the logging. (Nitpickers will point out that you do give your consent to iTunes when you download and install iOS 4, but this is not treated the same way as the consent given to the iPhone every time an app wants to use GPS.) So, whether or not you're using GPS, if you're using your iPhone as a cell phone, you are being tracked and logged constantly without your knowledge. This is why my trip to Hong Kong wasn't logged (because I had all cell connections turned off while GPS was on), but my stop-over in Tokyo Narita on the same trip was logged (I had turned on my phone to make a quick call, but did not use GPS).

Of course, the fact that this data exists somewhere is nothing new. Cell companies have been tracking this triangulation information for their own purposes for years. In the US, however, regular people cannot access that data—law enforcement must obtain a court order before they can get it for an investigation, and your jealous spouse can't get it from the wireless company at all.

What the cellco has on you is now basically being mirrored in a file on your iPhone or iPad without any kind of encryption, and is also being copied to your computer. (Allan and Warden say that, according to their research, no other phones log triangulated cell locations in this way, including Android phones.) And, if you leave iTunes on the default syncing settings, your iPhone backups aren't being encrypted on the computer either, making tools like iPhone Tracker possible.
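To check which backups on a computer are exposed in the way described above, the following added example (not from the article, from Allan and Warden, or from iPhone Tracker) reads each backup's manifest and reports whether it is encrypted. The macOS backup path, the `Manifest.plist` key `IsEncrypted` and the `Info.plist` key `Device Name` are assumptions about the iTunes backup layout, and the sample backups are constructed.

```python
import plistlib
import sys
import tempfile
from pathlib import Path

# Default iTunes backup folder on macOS (assumption; the article gives no path).
DEFAULT_ROOT = Path.home() / "Library/Application Support/MobileSync/Backup"

def read_plist(path):
    """Parse an XML or binary plist; None if missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # any failure means the backup cannot be verified
        return None
    return data if isinstance(data, dict) else None

def audit_backup(backup_dir):
    """Classify one backup folder by the IsEncrypted flag in its manifest."""
    manifest = read_plist(backup_dir / "Manifest.plist") or {}
    info = read_plist(backup_dir / "Info.plist") or {}
    flag = manifest.get("IsEncrypted")  # key name assumed, not from the article
    if flag is True:
        status = "encrypted"
    elif flag is False:
        status = "UNENCRYPTED"
    else:
        status = "unknown"  # missing or corrupt manifest: treat as unverified
    return {"id": backup_dir.name, "status": status,
            "device": info.get("Device Name", "unknown")}

def audit_all(root):
    """Audit every backup folder under root, in name order."""
    if not root.is_dir():
        return []
    return [audit_backup(d) for d in sorted(root.iterdir()) if d.is_dir()]

def demo():
    """Run the audit over constructed sample backups (no real device data)."""
    samples = {
        "sample-a": ({"IsEncrypted": False}, {"Device Name": "Sample iPhone"}),
        "sample-b": ({"IsEncrypted": True}, {"Device Name": "Sample iPad"}),
        "sample-c": (None, None),  # folder with no manifest at all
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, plists in samples.items():
            folder = Path(tmp) / name
            folder.mkdir()
            for fname, content in zip(("Manifest.plist", "Info.plist"), plists):
                if content is not None:
                    (folder / fname).write_bytes(plistlib.dumps(content))
        return audit_all(Path(tmp))

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_ROOT
    for row in audit_all(root):
        print(f"{row['status']:12} {row['device']:22} {row['id']}")
```

Pass a backup folder as the first argument to audit a different location; rows marked `UNENCRYPTED` or `unknown` are the ones to fix by turning on backup encryption and making a fresh backup.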

Who has access now?

So your iPhone—and probably your computer—now both have a file that mirrors data that was previously limited to law enforcement, which itself was only able to obtain it from a court order. Without encrypted backups, someone who has access to your computer can see your whereabouts. "By passively logging your location without your permission, Apple have made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements," the team wrote.

But even if you check the box to encrypt your iPhone backups on the computer, the file is still unencrypted on your iPhone, and it wouldn't be hard for someone with ill intentions to access it.

"Anyone with a good jailbreaking tool could get it off the phone too. And of course my forensics tools," iPhone hacker and forensics expert Jonathan Zdziarski told Ars. "In fact even the old SSH worms (which are still effective on a large number of handsets) could be modified to collect this. It's part of the Core Location cache on the phone. So, it's not a covert, evil, Big Brother secret invisible file, but Apple has been administratively lazy in their programming, which is the root cause of most data leaks on the iPhone."

Security expert and repeat Pwn2Own champion Charlie Miller was slightly less pessimistic about who can access the file, but agreed that it wouldn't be trivial for an experienced iPhone tinkerer.

"This file is only readable by root. That means that a rogue App Store app won't be able to read it. Even a bad guy who hacks into your browser won't be able to read it," Miller told Ars. However, remote hackers can make use of two separate exploits—a code execution exploit and a privilege escalation exploit—which Miller points out have been available before in the form of jailbreakme.com (a tool that allowed users to jailbreak their devices through a Web page on the Internet).

Although Apple makes an effort to patch security holes as they come up, the jailbreak community is constantly working on new ways to gain access to previously forbidden files—if something like Jailbreakme existed before, it could exist again.

"It is bad for privacy this file exists, especially when it doesn't seem to be linked to any particular feature that provides any benefit," Miller said. "[T]here is no easy way to wipe the data from it."

Implications for Apple

Zdziarski says the iPhone has actually been logging this location data for longer than a year, but it wasn't so easily accessible before the launch of iOS 4 in mid-2010.

"The iPhone has been keeping caches of user location data for quite some time now. iOS 4 made it a little easier to get to, but law enforcement has been using data like this since around 2009 to build evidence against criminals using the iPhone," Zdziarski told Ars. "Similar data has been cached in different files prior to iOS 4. [The cache revealed today] is a bit more aggressive and centralized, making it easier to access by normal folks."

Apple did not respond to our questions about how long it has been logging the location data, but it's clear that the reason the issue is coming to light now is because of this easy access. Zdziarski added that the iPhone in general "leaks like a sieve," and warned that consumers should consider the possible implications to their personal privacy with today's discovery.

Privacy advocates are taking things a step further by calling out Apple for abusing user trust. "Apple has some explaining to do. iPhone owners place a great deal of trust in Apple, and Apple has a responsibility not to abuse that trust," Princeton University Center for Information Technology Policy researcher and regular Ars contributor Timothy B. Lee said.

"This incident raises questions about whether Apple is serious about user privacy," Lee continued. "If this was an accident, Apple needs to fix the problem and put in place procedures to make sure it doesn't happen again. If the data is being collected deliberately, perhaps in preparation for a future product, Apple should have clearly notified users and given them an opportunity to opt out."

Apple told Congress last July that all location data collected by the iPhone remains private. According to Apple lead counsel Bruce Sewell, Apple does collect anonymous location data from iPhones in an effort to improve its own database of cell tower and WiFi hotspot locations, but it only does this with user consent. The discovery made by Allan and Warden clearly shows, however, that this is happening constantly without the kind of explicit consent Apple requires for GPS, and it sure isn't anonymous when it's accessible directly from the user's device.

So, is there anywhere you've been in the last year that you don't want anyone to know about?

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com // Twitter: @eJacqui

As scary as the privacy implications are, the people who I really wouldn't want to have access to that data already do (the government.) Geolocation is also pretty easy to do and relatively accurate, so any service you visit regularly that keeps logs of IP addresses could assemble the same information.

While it doesn't make me happy, privacy is effectively dead. There are so many parties tracking so much information about individuals that you won't be able to go through your day without a dozen companies and/or government agencies knowing exactly where you are. At this point it is likely more effective to tailor your behavior around that fact than to try to fight to protect it.

This piece seems a bit paranoid- there's no indication that Apple's actually collecting this information at all. It actually makes sense to have a file like this on the phone- if it can keep track of where you've been, it can make educated guesses based on that data when GPS signals are weak, and get a lock on your location much more quickly.

Great summary of this important bit of news Jacqui. Seems like one of those stories that could either fade away in a week or really catch on and bring a lot of heat on Apple. I hope this makes it to the mainstream media and Apple is forced to deal with it, instead of just ignoring it.

While the threat is not incredibly serious that just anyone can track anyone with an iPhone, the fact that this is happening with no option and against the word of Apple's legal counsel makes it pretty important. Either Apple made a big oversight or they deliberately misinformed Congress.

They've previously stated that they use this info for service improvement if you elect to allow anonymous data reporting. Any news on whether this tracking file exists if you've opted out of reporting?

This piece seems a bit paranoid- there's no indication that Apple's actually collecting this information at all. It actually makes sense to have a file like this on the phone- if it can keep track of where you've been, it can make educated guesses based on that data when GPS signals are weak, and get a lock on your location much more quickly.

That's a decent reason to keep a log of locations for the past 5-10 minutes. It's not a good reason to keep an entire year's worth of locations.

"It is bad for privacy this file exists, especially when it doesn't seem to be linked to any particular feature that provides any benefit," Miller said. "[T]here is no easy way to wipe the data from it."

That's what I don't get. If Apple released an app that does wonderful, magical stuff with this data... it would be less bad for privacy? What if it turns out that this data somehow subtly but dramatically improves user experience? Let's say it makes calls much less likely to drop (ha, ha, I know, but bear with me). Would that change Miller's opinions of the privacy issues?

It *is* a privacy issue. It *may* have benefits. I mean, I paid $100 for a GPS device to carry on travels to geotag photos, and now it looks like I could get a similar benefit from just carrying my phone. But that's totally incidental to the privacy issue: if there were a checkbox to turn this on, I would have done so. It's the not having the disclosure or option that's the problem.

If you get picked up by the police for some reason, can they fish through your phone's data without a warrant? That is mostly what would worry me. Get pulled over for questioning, cops fish through the phone, and check to see if you happened to be near any recent crime scenes.

The headline is rather misleading. There's been no allegation that this data is being sent to Apple, it's being stored on your phone. A better (and less alarmist) description would be "How your iPhone tracks your location".

This piece seems a bit paranoid- there's no indication that Apple's actually collecting this information at all. It actually makes sense to have a file like this on the phone- if it can keep track of where you've been, it can make educated guesses based on that data when GPS signals are weak, and get a lock on your location much more quickly.

That's a decent reason to keep a log of locations for the past 5-10 minutes. It's not a good reason to keep an entire year's worth of locations.

On the contrary. It's much more useful over a long period of time. Most people tend to stay in the same geographic area for months at a time- if your phone can "learn" that area, it can consistently check those 100 square miles or so first, before it tries looking anywhere else.

As scary as the privacy implications are, the people who I really wouldn't want to have access to that data already do (the government.)

Really? I would be more concerned about people who could get the information of me or my family who has iPhone with untoward intentions; like waiting for everyone to leave the house to burgle it, kidnapping, waiting to assault me for whatever reason etc etc etc.

That said, if the info isn't being broadcasted, it doesn't really matter.

As scary as the privacy implications are, the people who I really wouldn't want to have access to that data already do (the government.) Geolocation is also pretty easy to do and relatively accurate, so any service you visit regularly that keeps logs of IP addresses could assemble the same information.

While it doesn't make me happy, privacy is effectively dead. There are so many parties tracking so much information about individuals that you won't be able to go through your day without a dozen companies and/or government agencies knowing exactly where you are. At this point it is likely more effective to tailor your behavior around that fact than to try to fight to protect it.

I think you're more than a little paranoid....even if all that is true I'd rather not let it consume my life (and sanity).

I don't think people will care. They post everything they do on Facebook and text/video/photograph every aspect of their lives for public consumption. And use services like Foursquare to post real time beacons of their location.

Could someone explain the "Why" a bit more please? Why is Apple doing this? Is it so they can help law enforcement with criminal activity tracking, as the article stated? Or is that just a side benefit? There's a huge emphasis on what they're doing, but I didn't read much explaining why they're doing it.

"If you get picked up by the police for some reason, can they fish through your phone's data without a warrant? That is mostly what would worry me. Get pulled over for questioning, cops fish through the phone, and check to see if you happened to be near any recent crime scenes. "

Ars was going through articles a while back about whether a cellphone or computer confiscated during a frisk was allowed to get snooped into without a warrant. I can't remember the outcome of all that, but I do remember many folks were pretty adamant about encrypting their devices and conveniently forgetting the passwords if law enforcement ever stopped and questioned them.

Why it matters: It is eating up data on my phone, and bandwidth on a backup. That is pretty much it.

The other part of concerns….I just don’t get it? Given that it can get confused and be inaccurate likely means it’ll have little-to-no weight in court as well [assuming you have competent representation], if you ever find yourself in a situation where you need to worry about that.

is this any diff than the data cell towers use to handle traffic? or, the geo cache that helps location services work faster? what i find most interesting, is that the file is unencrypted, and readily accessible. three cheers towards transparency.

I don't think people will care. They post everything they do on Facebook and text/video/photograph every aspect of their lives for public consumption. And use services like Foursquare to post real time beacons of their location.

Yeah, but they're actively doing that, and choosing when and where. Lazy Apple software developers created a giant time & location database that no one knows about or can directly turn off. It just sits there on your computer and on your phone, ready for quick and easy access.

So when does Apple drag researchers Alasdair Allan and Pete Warden into court for digging around into their iPhones, exposing a flaw/security risk/etc. to the public and then OMG, telling people about it and writing an app that lets you see it for yourself?

Unless I've misunderstood something, this is incredibly poor and sensationalized reporting by Arstechnica. Shame on you. I thought Ars was above click baiting. This is just plain pathetic. And this is after I just got done praising Ars for great coverage of HBGary. And this is coming from a self proclaimed privacy monger! I don't want anyone knowing my location.

There are valid concerns here but the headline appears to be completely false. Apple does not have the data in question.

The case for improved security would be more sound if this other nonsense wasn't thrown in. Hint, a more accurate headline would have been "How the iPhone Tracks Your Location"

Some of the commentators need to perhaps wake up a bit if I may say. What possible benefit to _you_ could storing location data of every place you have ever been in secret have? Do you think Jobs will personally call the cops when he notices that you're not at home by 9pm on gym-day Thursday? Get real.

*Apple* isn't collecting the data, a *device* (admittedly manufactured by Apple) is. As far as anyone has reported, the data remains on your phone and the host computer(s) you back it up to (where it can easily be encrypted), and is not transmitted to Apple, or anyone else for that matter. The concerns of remote exploits getting access to the data certainly have merit, but I'd be willing to bet that there is other insecure data on the phone and/or the host device that presents a far greater risk for the vast majority of folks than a location log.